Video recordings are available!

Keynotes

From zero to sixty in three years

It takes time to build a mature security program, particularly at rapidly growing companies that are innovating. In addition, cloud computing enables innovation and scale but does not necessarily simplify a company’s security needs and strategy. In this keynote, we look at some of the security and privacy challenges that young companies face today. We share some anecdotes and lessons learned from our own experiences as we grew rapidly in a cloud-first environment.

Jad Boutros

Chief Security Officer, Snapchat, Inc.

Jad Boutros joined Snap Inc. in 2014, where he serves as the Chief Security Officer. Jad is responsible for information security, privacy engineering, and spam and abuse.

Jad has over twenty years of experience in software development and security. Prior to joining Snap Inc., Jad worked in information security at Google for over nine years, and led the security efforts for Google+ since the project’s inception. Jad holds a bachelor’s degree in computer engineering from McGill University and a master’s degree in computer science from Stanford University.

This presentation will present and illustrate the evolution of the IT-security landscape in Switzerland: the challenges we had to face, and the ones we still need to address.

Paul Such

CEO, Hacknowledge

Paul Such is an engineer and entrepreneur passionate about IT security. He founded SCRT in 2002 and managed the company for 15 years.

Paul is now the CEO of Hacknowledge, a Swiss managed detection and response company.

Track "attacks"

Fingerprint all the things with scannerl

Scannerl (https://github.com/kudelskisecurity/scannerl) is a modular distributed fingerprinting engine implemented by Kudelski Security. It can fingerprint thousands of targets on a single host, but can just as easily be distributed across multiple hosts by leveraging the power of Erlang and its actor model.

Adrien Giner

Kudelski Security

Security researcher and author of scannerl.

Security review of proximity technologies: beacons and physical

With the growing expansion of the IoT, proximity technologies are becoming more and more important to interact with the things around us. Apple and Google have released their own beacon protocols, namely iBeacon and Eddystone, but are they really secure for any kind of use? We will study both protocols and their capabilities thoroughly, and discuss several vulnerabilities, illustrating them with live demos. Additionally, we will see that future protocols will unfortunately allow very long-range fingerprinting and attacks on most IoT devices, so we will give recommendations to reduce these threats.

Renaud Lifchitz

Information Security Consultant, Econocom Digital Security

Renaud Lifchitz is a French senior IT security consultant. He has a solid penetration testing, training and research background. His main interests are secure programming, protocol security (authentication, cryptography, information leakage, zero-knowledge proofs, RFID security) and number theory. He currently works mostly on wireless protocol security and has spoken at many international conferences. Renaud's significant security studies cover contactless debit cards, GSM geolocation, blockchain, RSA signatures, Sigfox, LoRaWAN, Vigik access control and quantum computation.

Locky Strike: Smoking the Locky Ransomware Code

Locky, born in early 2016, quickly became one of the most prevalent pieces of ransomware in the wild, with massive campaigns that landed on at least 90,000 PCs per day [1] around the world shortly after its debut. It was clear at that time that Locky would be a major ransomware threat that both end users and enterprises would be facing.
More than a year and a half later, Locky continues its massive ransomware attacks, at a scale of 23 million infected emails circulated in just 24 hours [2]. Locky also holds the majority of ransomware profit, with a conservative figure of $7.8 million [3] in its less than two years of operation. The more revenue Locky generates, the more it can invest in being effective and in being distributed more widely.
The talk will detail the results of the continuous monitoring of Locky and delve into the technical details of the ransomware. It will focus on three technical aspects: its system behaviour, its configuration, and its C&C communication.
Initially, the talk will cover Locky’s prevalence in the wild and how it behaves on landing on a PC. An overview of the timeline of Locky’s changes and improvements to remain effective will be presented.
The talk will also give a detailed understanding of Locky's configuration, including the automation of extracting that configuration.
The talk will also explore Locky’s obfuscated C&C communications, including its parameters, encryption and decryption. As a result of these findings we will have a better understanding of how Locky communicates with its C&C and of the data being sent on every request.
Finally, using the technical knowledge acquired in the research, the talk will conclude with some insights into Locky's operation and how these findings ultimately translate to actionable threat intelligence that can be used to protect users.
This research has been co-authored by the speaker and his teammate Floser Bacurio Jr.

Rommel Joven

Fortinet

Rommel Joven is a Malware Researcher at Fortinet. He finished his Bachelor’s degree in electronics engineering at Saint Louis University in 2012.
Prior to joining Fortinet, he started his early career in cybersecurity and learned reverse engineering at Trend Micro as a threat response engineer. As a novice, he developed a strong interest and became keen to learn more about cybersecurity. He is now further involved in hunting new malware, ranging from ransomware to targeted attacks.
He is a regular contributor to Fortinet's Security Research blog, where he writes about current malware such as MacRansom, a first in OSX ransomware in 2017. During his spare time, he enjoys sports like basketball and playing online games.

Java JSR 241 and 341 - RCE state of mind

Over the years, Java Specification Requests such as JSR 241 (Groovy) or JSR-245 (Unified Expression Language) have appeared to fit needs like scripting, separating Java code in controllers from the view, and allowing easier access to Java components in MVC web applications.
Different libraries have been developed to implement these requests, and all of them allow runtime code execution in some of their functions. Developers willing to support functionality that needs runtime execution have used them heavily.
This wide usage, and developers' lack of awareness of the sensitivity of these functions, have led to the introduction of notable remote code execution vulnerabilities.
During this presentation we will cover the different libraries by showing previous vulnerabilities that affected applications using them. We will also cover how to use these libraries safely.

Gregory Draperi

Gregory has been in the IT field for 10 years, with various experiences in application security, IAM and organizational security. He has focused on application security for the past five years and has involved himself in security research, mainly in Java security.
During this time, he has been able to find critical issues in a high number of products covering a large portfolio of companies (Cisco, Google, JBoss, Sophos, Trend Micro).

Exploiting hash collisions

When a hash function is first broken, the restrictions on the colliding PoC pair are very complex: it’s not uncommon that the first public PoCs are just random-looking blocks, with no impact whatsoever on any system, besides being different and having the same hash. In some cases, an identical prefix can be present at the start of both files of the colliding pair, and the collision blocks are calculated on this exact prefix. It’s then possible to plan a file structure in advance, and craft a prefix that, despite all the randomness of the collision blocks, will lead to a pair of valid files, reliably working, with different and arbitrary contents.
A world of prettifying academic results to convince people to deprecate algorithms, where file format rules have to be bent to play along with cryptographic restrictions, where PoCs are planned several years before they can be implemented, with a lot of computing power at stake.

Ange Albertini

Parsing JSON is a Minefield

JSON is the de facto standard when it comes to (un)serialising and exchanging data in web and mobile applications. But how well do you really know JSON?

I examined the JSON specifications closely, wrote a corpus of test cases and tested various libraries against them. It turns out that JSON is not the easy and harmless format many believe it to be. Indeed, I did not find two libraries that exhibit the very same behaviour.

Moreover, I found that edge cases and maliciously crafted payloads can cause bugs, crashes and denial of services, including a stack overflow in SQLite. This is because JSON libraries rely on specifications that have evolved over time and that left many details loosely specified or not specified at all.

This talk shows how to find bugs by reading RFCs and raises awareness about the risks of simple specifications.

Nicolas Seriot

10+ years of professional programming on Apple platforms.
Still fascinated by bad code, stupid processes, ambiguous specifications and everything that goes wrong.

Track "lessons learned"

Security Breaches: what are your legal obligations and how do you survive a breach?

In Switzerland, the revision of the Data Protection Act will introduce a data breach notification obligation when personal data is at stake, similar to what prevails in most US states and what will be the standard in the EU with the GDPR. This is a huge paradigm change.

Companies must be ready and trained to face these new obligations. However, they first need to understand what is mandatory and the risks they are facing. Not disclosing a breach when required is a criminal offence, but a company often does not want to disclose a breach if this is not necessary, or simply prefers to disclose it later.

We will cover the upcoming legal obligations applicable mainly to Swiss based organizations and the best practices to implement.

Sylvain Métille

Attorney-at-law, HDC

Sylvain Métille is a Partner at the law firm HDC in Lausanne (Switzerland). Recognized as a leading lawyer in TMT by Chambers & Partners, Legal500 and Best Lawyers, he has more than ten years' experience at the bar. As a privacy / data protection and IT / advanced technology specialist, he regularly assists local and multinational companies when it comes to data, surveillance, IT or computer crime.
Sylvain is also a lecturer at Lausanne University (Computer Crime Law) and at the International Institute of Management in Technology in Fribourg (Data Protection). He regularly publishes and gives conferences. He also runs a blog about law and information technologies.
He obtained his J.D. (2003) and PhD in Law with Honors (summa cum laude, 2010) from the University of Neuchâtel. Admitted to the Swiss Bar in 2005, he gained solid experience within several law firms. He was invited as a Visiting Scholar by the Berkeley Center for Law and Technology (University of California) in 2010-2011.

95% of Fortune 500 companies use Active Directory services. I will share attacks around the Active Directory environment, and more specifically how to detect and prevent these actively without giving links to multi-million product vendors. These mitigations are taken from the last 10 years of real-world scenarios and my study of this subject.
These are assured takeaways to help your network without much fuss in terms of time and resource investment. C'mon, the humble AD needs your help!

Harman Singh

Director & Managing Consultant, Defendza

Harman is a co-founder and director at Defendza, a boutique IT security consultancy based in Manchester, UK. His day job involves working with CISOs and security managers to understand their requirements and help secure their most prized assets. Besides performing security assessments for several years, he has delivered training at Black Hat USA and to corporate teams covering advanced infrastructure security. When he is away from his desk, he loves to play any sport or relax with a pint of beer.

Hydrabus: Lowering the entry fee to the IoT bugfest

The HydraBus is an evolutive multi-tool hardware which helps you analyze/debug/hack/pentest all types of electronic buses/chipsets.
HydraBus exists because today we have plenty of IoT embedded hardware without good open tools to analyze/debug/hack or test it.
This talk will focus on the hardware and mainly on the embedded open-source firmware (hydrafw) / user command features, to be used by anyone interested in embedded hardware hacking, from beginner to experienced hacker.

Benjamin Vernoux

Engineer, Hydrabus

Benjamin Vernoux created the HydraBus project, including the main hardware (hydrabus) and firmware (hydrafw), 3 years ago. He has also worked for many years on well-known open-source software for SDR projects like airspy and hackrf.

Fighting Cyber Threats to Switzerland


Mauro Vignati

Head of Cyber, Swiss Government

Let’s Play with WinDBG & .NET

.NET is an increasingly important component of the Microsoft ecosystem, providing a shared framework. Many Microsoft tools, such as PowerShell, rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform. During the presentation, I will explain how to automate .NET analysis with WinDBG, the Microsoft debugger. To illustrate my talk, I will show how to analyse PowerShell scripts with WinDBG and how to automatically unpack a recently discovered .NET packer family. The presentation includes several live demos of WinDBG usage in this specific context.

Paul Rascagneres

Senior Software Engineer, Cisco Talos

Paul is a security researcher within Talos, Cisco’s threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings in publications and at international security conferences throughout the world. He has been involved in security research for 7 years, mainly focusing on malware analysis, malware hunting and, more specifically, Advanced Persistent Threat campaigns and rootkit capabilities. He previously worked for several incident response teams in the private and public sectors.

Leveraging threat modelling for improved information risk management

Threat modelling is about using models to find security problems. In other words, it provides a methodical approach to performing a security evaluation. Some of the existing models, such as Adam Shostack's STRIDE, have become popular within the software development industry. Thus, threat modelling is today considered a key activity within secure software development methodologies. In this presentation, we propose to share experience about how threat modelling can be leveraged in organisations to perform risk assessments and improve security management. Covering the available methodological variants, the expected benefits of threat modelling, the approach's limitations and possible issues, and existing tools, we will try to draw an accurate picture of where threat modelling currently stands. The presentation will be illustrated with concrete examples. As a second step we will explore possibilities to industrialise threat modelling, integrate it into a global risk management framework and make it an efficient process in the corporate environment for the sake of information security.

Stéphane Adamiste

Information Security Consultant, ELCA Informatique SA

Stéphane is an information security and privacy consultant currently working for one of the main Swiss software development and integration companies. In his daily work, he collaborates with projects delivered by his colleagues, taking charge of the security assurance part, and delivers consulting mandates on various security-related topics directly to customers.

Turla APT - Attack against Ruag Conf

The Turla actor group has successfully attacked the MFA in Switzerland as well as defense company RUAG. Since then, GovCERT.ch has been analyzing the tactics and toolbox of this group. We are going to present the malware involved, detection possibilities, as well as defense strategies. The talk is based mainly on the already published report about the Ruag incident (https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case).

This talk is held under TLP RED, so no recording or broadcasting possible.

Andreas Greulich

MELANI/GovCERT.ch

Andreas Greulich was born in 1967 and studied Applied Mathematics at the University of Berne, which he completed with a PhD on genetic algorithms in 1995. He then joined the Swiss Federal Office of Information Technology, Systems and Telecommunication (FOITT), and moved to the Federal IT Steering Unit a few years later, with a focus on network security. Since 2007, he has been a malware researcher at GovCERT.ch, which is part of MELANI, the Reporting and Analysis Centre for Information Assurance. Besides this, he gives courses in Reverse Engineering at the University of Applied Science in Berne.

Reto Inversini

MELANI/GovCERT.ch

Reto Inversini was born in 1971 and studied Geography / Climatology at the University of Berne and Information Technology at the University of Applied Science. He worked for Amnesty International as a Network Engineer and for the Swiss Federal Office of Information Technology, Systems and Telecommunication (FOITT) as a Security Architect. Currently he works in a double role as Security Officer and Technical Analyst at GovCERT.ch. He is a part-time teacher at the University of Applied Science in Bern and Biel in the domains of Security Incident Response, Network Design and Security Architecture.

DDoS attacks are one of the most prominent threats on the Internet nowadays. In this talk, we explore how attackers exploit servers with weak SSH credentials to build botnets, later used to run high-volume DDoS attacks. After showcasing an experiment where a honeypot was used to understand the attack pattern and collect relevant malware samples, we reverse engineer the Xor DDoS malware and break down its obfuscation mechanisms, its communication with its command and control server, and how it spreads on a vulnerable system.

Christophe Tafani-Dereeper

Master Student, EPFL

Christophe Tafani-Dereeper is an information security enthusiast and master student at the Swiss Federal Institute of Technology (EPFL). He writes a blog about his main interests, which are information security, malware analysis, and Linux administration.

Improvements to Internet Voting in Geneva

The voting and election processes are the backbone of Swiss democracy, and threats to those processes are not to be taken lightly. For this reason, the Federal Chancellery introduced new rules and requirements on Internet Voting systems back in 2014, defining thresholds on the availability of Internet Voting, subject to three increasing compliance levels.
This talk will introduce some of the security properties defined in the federal requirements, and summarize the work done in collaboration between the eVoting group at the Berner Fachhochschule and the State of Geneva.

Thomas Hofer

Technical expert, Etat de Genève

Thomas Hofer studied at EPFL, where his master thesis received the Kudelski Award for its significant contribution to information systems security. After some experience as a Java Consultant, he started working on Internet Voting for the State of Geneva, where his responsibilities shifted from software developer to in-house security and cryptography expert. In his free time, he is co-chapter leader of the OWASP Geneva Chapter.

Snuffleupagus - Killing bugclasses in php7, virtual-patching the rest

Suhosin is a great php module, but unfortunately it's getting old: new ways have been found to compromise php applications, some of its protections aren't working anymore, and it doesn't play well with the shiny new php7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) php security module that provides several features we needed: passively killing several php-specific bug classes, but also implementing virtual patching at the PHP level, allowing vulnerabilities to be patched in a precise, false-positive-free, ultra-low-overhead way, without even touching the applications' code.

Julien Voisin

NBS System

Julien (jvoisin) Voisin used to pwn and reverse stuff while contributing to radare2; he nowadays focuses on protecting web stuff while keeping his own bugs alive on websec.fr and writing stuff on dustri.org.

Securing Data on the Cloud: Risks and Challenges

Andy Yen

Founder/CEO, Proton Mail

Andy has over 8 years of experience in distributed computing for demanding particle physics applications. Andy was a researcher at CERN from 2009 to 2015, where ProtonMail's founding team met. He has a PhD in Physics from Harvard and a degree in Economics from Caltech.

Securing data even when endpoints or networks get breached

Today we know that breaches are inevitable, and when they are finally detected it’s usually too late: enterprise data is already stolen, corrupted, or destroyed. The overwhelming majority of these attacks happen through endpoints because (1) endpoints grant access to data and (2) attackers have plenty of ways to break into endpoints, like phishing, social engineering, malware, and dozens more. So how do you protect enterprise data when endpoints get breached? This talk will introduce the concept of a data firewall that allows organizations to monitor, control, and regulate access to sensitive information, and to protect it against all forms of data theft, compromise and ransomware even under breach conditions. A data firewall isolates critical data from threats even after an endpoint or the network has been breached, long before the attack can be discovered and remediated. This technology has been validated through issued patents and powered one of the finalists of DARPA’s Cyber Grand Challenge (U.S. Department of Defense).

Cristian Zamfir

Chief Operations Officer, Cyberhaven

Dr. Cristian Zamfir co-founded Cyberhaven and leads operations. Cristian is the inventor of Execution Synthesis, an acclaimed technique that automates the debugging of concurrent software. Cristian previously held research positions at UC Berkeley and Microsoft, and earned a Ph.D. in computer science from EPFL.

Workshops

Workshop: Hands-On Security Lab with Hacking-Lab

This training is based on the Hacking-Lab platform (hacking-lab.com), which provides an online lab with several hundred different security challenges. Participants in this training will be granted access to several challenges in Hacking-Lab, where they can exercise their skills or learn, with step-by-step instructions, how to exploit vulnerable web applications. After a common introduction, participants can select the desired difficulty level and solve the proposed challenges at their own pace, with the support of the trainers. A LiveCD environment, including all required tools, is provided as the working environment. Participants are required to bring their own laptop with the provided virtual machine image installed (available at media.hacking-lab.com).

This training is open to anyone interested in IT security (e.g. application developers, system administrators, CISOs, etc.). The technical level is fairly open; the trainers provide individual support to the participants during the training. To work with the lab environment, participants are expected to have basic experience with the Linux command line and basic knowledge of the HTTP protocol.

Requirements for participants:

Laptop

Virtual Box or VMWare player

Hacking-Lab LiveCD (media.hacking-lab.com)

Philipp Sieber

Compass Security

Philipp Sieber is managing director of Compass Security Cyber Defense AG, and responsible for Hacking-Lab. Before joining Compass Security, he worked as a software engineer and security architect, in the field of E-Banking. Philipp Sieber holds a MSc degree in Computer Science from the Swiss Federal Institute of Technology in Zurich (ETHZ), and a CISSP certification.

Nicolas Heiniger

Compass Security

Nicolas Heiniger worked for several years as a network & security engineer in public and private companies before joining Compass Security as a security analyst. He is most interested in web applications, networks and new challenges. Nicolas Heiniger holds a MSc degree in Computer Science from the Swiss Federal Institute of Technology (ETH/EPF) in Lausanne.

Sylvain Heiniger

Compass Security

Sylvain Heiniger works as a Security Analyst for Compass Security. He is interested in testing networks, web applications and new technologies. Sylvain Heiniger holds a MSc degree in Computer Science from the Swiss Federal Institute of Technology (ETH/EPF) in Lausanne with a Minor in Information Security.

Workshop: Hydrabus on IoT

The workshop is the continuation of the talk "Hydrabus: Lowering the entry fee to the IoT bugfest", where attendees will be able to try practical examples of physical attacks on small challenges themselves.
A VirtualBox image will be provided, so it's highly advised to come with a laptop ready to run such an image. Notions of the C language are strongly recommended. The workshop will be limited to a maximum of ten people.

The VirtualBox image (based on Ubuntu 16.x) and materials will be provided to participants at the start of the workshop.

Benjamin Vernoux

Engineer, Hydrabus

Black Alps’ badge hacking

Nicolas Oberli

Black Alps

CFP

Call For Proposals: Talks and Workshops

Proposal submission

The submission process is now closed (it was open until 31 July 2017).

For any questions regarding the call for proposals, please contact us at .

Program committee

The Program committee is composed of internationally renowned experts in the field, responsible for building a program of quality. They will collect the proposals and select the most outstanding ones.